FTD on ASA 5500-X Series Hardware

Chapter Description

In this sample chapter from Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall, Next-Generation Intrusion Prevention System, and Advanced Malware Protection, review the steps required to reimage and troubleshoot any Cisco ASA 5500-X Series hardware.

Installing and Configuring FTD

In this section, you learn the detailed steps involved in installing the FTD software on ASA 5500-X Series hardware. Before you install anything on an ASA, there are some prerequisites. Once you fulfill them, you can perform the remaining tasks of the reimaging process.

Figure 2-3 summarizes the steps involved in reimaging ASA 5500-X hardware to the FTD system software.

Figure 2-3 Major Steps in Reimaging ASA 5500-X Series Hardware

Fulfilling Prerequisites

You must fulfill storage and connectivity requirements before you begin reimaging. The following are the storage prerequisites:

  • To install FTD software, an ASA requires at least 3 GB free space plus additional space to store an FTD boot image (which is usually about 100 MB). See the “Verification and Troubleshooting Tools” section, later in this chapter, to learn how to determine how much free disk space an ASA has.

  • Make sure the ASA has a solid state drive (SSD) installed. See the “Verification and Troubleshooting Tools” section, later in this chapter, to learn how to determine whether an SSD is installed in an ASA.

The following are the connectivity prerequisites:

  • Using a console cable, connect your computer to the console port of the ASA that you want to reimage.

  • Ensure that you have access to TFTP and HTTP servers. You use the TFTP server to copy the firmware and boot image files to the ASA during the reimaging process, and you copy the FTD system software from the HTTP server to the ASA. You can use an FTP server in lieu of an HTTP server, but you might find that a basic HTTP server is easier to set up. Neither TFTP nor plain HTTP authenticates the server or protects a transfer in transit, so keep these servers on the isolated management network and run them only for the duration of the reimage; the verification the ASA performs on each image as it loads it (visible in the examples that follow) is what protects you from a tampered file.
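    For the HTTP side, the following Python is an added example, not code from the book or from Cisco, of a staging server hardened the way you would want it on a reimaging network: it binds only to the management-network address used throughout this chapter (10.1.1.4), serves only an allowlisted package name out of a dedicated directory, returns 404 for directory listings, path traversal, and any other file, and logs the client address of every request. The staging directory (/srv/ftd-staging) and the listening port are assumptions; the package name is the one the chapter installs later (ftd-6.1.0-330.pkg). The TFTP service that the ROMMON steps need is separate and is not provided here.

```python
"""Hardened HTTP staging server for the FTD system software package.

Added example, not from the book or from Cisco. Compared with a bare
`python3 -m http.server`, which serves the whole current directory on every
interface with directory listings enabled, this server:
  * binds only to the management-network address (10.1.1.4 in the chapter),
  * serves only the allowlisted package name(s) from STAGING_DIR,
  * answers 404 for everything else (listings, traversal, stray files),
  * logs the client address of every request.
Plain HTTP gives no confidentiality or integrity in transit; the controls are
the isolated management network and the verification the ASA does on load.
"""
import functools
import posixpath
import sys
import urllib.parse
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

BIND_ADDR = "10.1.1.4"              # management-network address from the chapter topology
PORT = 80                           # assumption: matches the http://10.1.1.4/<file> URL form
STAGING_DIR = "/srv/ftd-staging"    # assumption: a directory holding only the package
ALLOWED_FILES = frozenset({"ftd-6.1.0-330.pkg"})


def requested_file(path):
    """Return the allowlisted file name a request path refers to, or None.

    Drops the query string and fragment, decodes percent-encoding, normalizes
    '.' and '..' segments, then accepts only an exact allowlisted name with no
    directory component left over.
    """
    raw = urllib.parse.urlsplit(path).path
    name = posixpath.normpath(urllib.parse.unquote(raw)).lstrip("/")
    if "/" in name or name not in ALLOWED_FILES:
        return None
    return name


class StagingHandler(SimpleHTTPRequestHandler):
    """Serve only allowlisted files; everything else is a 404."""

    def _resolve(self):
        name = requested_file(self.path)
        if name is None:
            self.log_message("DENY %s from %s", self.path, self.client_address[0])
            self.send_error(404, "Not found")
            return False
        self.path = "/" + name      # translate_path() maps this under the staging directory
        self.log_message("ALLOW %s from %s", name, self.client_address[0])
        return True

    def do_GET(self):
        if self._resolve():
            super().do_GET()

    def do_HEAD(self):
        if self._resolve():
            super().do_HEAD()

    def list_directory(self, path):
        # Never expose the staging directory contents.
        self.send_error(404, "Not found")
        return None


def serve(bind=BIND_ADDR, port=PORT, directory=STAGING_DIR):
    handler = functools.partial(StagingHandler, directory=directory)
    with ThreadingHTTPServer((bind, port), handler) as httpd:
        print(f"staging {sorted(ALLOWED_FILES)} from {directory} on http://{bind}:{port}/")
        httpd.serve_forever()


if __name__ == "__main__":
    # Port 80 needs root or CAP_NET_BIND_SERVICE; pass a high port to run unprivileged.
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else PORT)
```

    Binding to port 80 (the URL form used later in Example 2-18) needs privileges; otherwise run it as an unprivileged user on a high port and adjust the URL you give to the boot CLI accordingly, and stop the server as soon as the download finishes.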

Figure 2-4 shows a topology in which the management network is segregated from the data traffic, according to security best practice. An administrator computer is directly connected to an ASA through a console cable, and it also has access to the management network.

Figure 2-4 A Simple Topology in Which an ASA Inspects Data Traffic and Keeps Management Traffic Isolated

Figure 2-5 shows the simplest topology that provides both console and IP connectivity between an ASA and a computer and allows an administrator to perform reimaging and basic configuration.

Figure 2-5 The Most Basic Connectivity Between an ASA and a Server for Performing Reimaging and Basic Setup

Upgrading Firmware

If you plan to reimage a low-end ASA hardware model (5506-X, 5508-X, or 5516-X) to the FTD software, you must first make sure that the firmware (ROMMON) version of the ASA is 1.1.8 or later. See the “Verification and Troubleshooting Tools” section, later in this chapter, to learn how to determine the firmware version.

Follow these steps to upgrade the firmware (ROMMON software) of a low-end ASA model:

  • Step 1. Download the ROMMON software from software.cisco.com and store it to your TFTP server. Figure 2-6 shows the ROMMON software file asa5500-firmware-1108.SPA that you use to upgrade the firmware of low-end ASA 5500-X Series hardware before you begin the reimaging process.

    Figure 2-6 The ROMMON Software File Information

  • Step 2. Copy the file from your TFTP server to your ASA storage. To copy a file from a TFTP server to an ASA, run the following command:

    ciscoasa# copy tftp://TFTP_server_address/filename disk0:

    Example 2-1 shows that the ROMMON software file asa5500-firmware-1108.SPA is successfully copied from a TFTP server (IP address 10.1.1.4, for example) to the storage of ASA 5506-X hardware. Note that the ASA computes the hash of the received image, compares it with the hash embedded in the signed file, and validates the digital signature before it writes the file to disk0:; do not proceed with the upgrade if any of these checks fails.

    Example 2-1 Copying a File from a TFTP Server to ASA Hardware

    ciscoasa# copy tftp://10.1.1.4/asa5500-firmware-1108.SPA disk0:
    
    Address or name of remote host [10.1.1.4]?
    Source filename [asa5500-firmware-1108.SPA]?
    Destination filename [asa5500-firmware-1108.SPA]?
    
    Accessing tftp://10.1.1.4/asa5500-firmware-1108.SPA...!!!!!!!!!!!
    Done!
    Computed Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Embedded Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Digital signature successfully validated
    Writing file disk0:/asa5500-firmware-1108.SPA...
    !!!!!!!!!
    9241408 bytes copied in 8.230 secs (1155176 bytes/sec)
    ciscoasa#
  • Step 3. Once the file is copied successfully, begin the upgrade by running the following command:

    ciscoasa# upgrade rommon disk0:/asa5500-firmware-1108.SPA

    Example 2-2 shows the command to upgrade the firmware of ASA hardware. After the ROMMON software file is verified, the ASA prompts for a confirmation to reload.

    Example 2-2 Running the Command to Begin the ROMMON Upgrade

    ciscoasa# upgrade rommon disk0:/asa5500-firmware-1108.SPA
    
    Verifying file integrity of disk0:/asa5500-firmware-1108.SPA
    
    Computed Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Embedded Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                          eefe8f182491652ee4c05e6e751f7a4f
                          5cdea28540cf60acde3ab9b65ff55a9f
                          4e0cfb84b9e2317a856580576612f4af
    
    Digital signature successfully validated
    File Name                     : disk0:/asa5500-firmware-1108.SPA
    Image type                    : Release
        Signer Information
            Common Name           : abraxas
            Organization Unit     : NCS_Kenton_ASA
            Organization Name     : CiscoSystems
       Certificate Serial Number : 55831CF6
        Hash Algorithm            : SHA2 512
        Signature Algorithm       : 2048-bit RSA
        Key Version               : A
    Verification successful.
    Proceed with reload? [confirm]
  • Step 4. Press the Enter key to confirm. Example 2-3 shows the reloading of the ASA hardware after the firmware upgrade starts.

    Example 2-3 Reloading ASA Hardware After an Upgrade Starts

    ***
    *** --- START GRACEFUL SHUTDOWN ---
    ***
    *** Message to all terminals:
    ***
    ***   Performing upgrade on rom-monitor.
    Shutting down isakmp
    Shutting down webvpn
    Shutting down sw-module
    Shutting down License Controller
    Shutting down File system
    ***
    *** --- SHUTDOWN NOW ---
    ***
    *** Message to all terminals:
    ***
    ***   Performing upgrade on rom-monitor.
    Process shutdown finished
    Rebooting... (status 0x9)
    ..
    INIT: Sending processes the TERM signal
    Stopping OpenBSD Secure Shell server: sshdno /usr/sbin/sshd found; none killed
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting...

    During the firmware upgrade process, the ASA reboots automatically a few times. Example 2-4 shows the ASA completing the first two steps of the ROMMON upgrade process. The system reloads every time it completes a step.

    Example 2-4 Upgrading the ROMMON Software

    Rom image verified correctly
    Cisco Systems ROMMON, Version 1.1.01, RELEASE SOFTWARE
    Copyright (c) 1994-2014  by Cisco Systems, Inc.
    Compiled Mon 10/20/2014 15:59:12.05 by builder
    
    Current image running: Boot ROM0
    Last reset cause: PowerCycleRequest
    DIMM Slot 0 : Present
    INFO: Rommon upgrade state: ROMMON_UPG_START (1)
    INFO: Reset code: 0x00002000
    Firmware upgrade step 1...
    Looking for file 'disk0:/asa5500-firmware-1108.SPA'
    Located 'asa5500-firmware-1108.SPA' @ cluster 1608398.
    ###################################################################################
      ###
    ##############################################################
    Image base 0x77014018, size 9241408
    LFBFF signature verified.
    Objtype: lfbff_object_rommon (0x800000 bytes @ 0x77014238)
    Objtype: lfbff_object_fpga (0xd0100 bytes @ 0x77814258)
    INFO: FPGA version in upgrade image: 0x0202
    INFO: FPGA version currently active: 0x0202
    INFO: The FPGA image is up-to-date.
    INFO: Rommon version currently active: 1.1.01.
    INFO: Rommon version in upgrade image: 1.1.08.
    Active ROMMON: Preferred 0, selected 0, booted 0
    Switching SPI access to standby rommon 1.
    Please DO NOT reboot the unit, updating ROMMON......
    INFO: Duplicating machine state......
    Reloading now as step 1 of the rommon upgrade process...
    
    Toggling power on system board...
    Rom image verified correctly
    
    Cisco Systems ROMMON, Version 1.1.01, RELEASE SOFTWARE
    Copyright (c) 1994-2014  by Cisco Systems, Inc.
    Compiled Mon 10/20/2014 15:59:12.05 by builder
    Current image running: Boot ROM0
    Last reset cause: RP-Reset
    DIMM Slot 0 : Present
    INFO: Rommon upgrade state: ROMMON_UPG_START (1)
    INFO: Reset code: 0x00000008
    Active ROMMON: Preferred 0, selected 0, booted 0
    Firmware upgrade step 2...
    Detected current rommon upgrade is available, continue rommon upgrade process
    Rommon upgrade reset 0 in progress
    Reloading now as step 2 of the rommon upgrade process...
  • Step 5. After Step 1 and Step 2 of the upgrade process, when the ASA reloads, the ROMMON version shows 1.1.8 (see Example 2-5). The process, however, is still in progress. When the ASA prompts for a manual or automatic reboot, just wait a few seconds and let the system reboot itself.

    Example 2-5 The Last Stage of the ROMMON Upgrade Process

    Rom image verified correctly
    Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
    Copyright (c) 1994-2015  by Cisco Systems, Inc.
    Compiled Thu 06/18/2015 12:15:56.43 by builders
    
    Current image running: *Upgrade in progress* Boot ROM1
    Last reset cause: BootRomUpgrade
    DIMM Slot 0 : Present
    INFO: Rommon upgrade state: ROMMON_UPG_START (1)
    INFO: Reset code: 0x00000010
    PROM B: stopping boot timer
    Active ROMMON: Preferred 0, selected 0, booted 1
    INFO: Rommon upgrade state: ROMMON_UPG_TEST
    
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !! Please manually or auto boot ASAOS now to complete firmware upgrade !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    
    Platform ASA5506 with 4096 Mbytes of main memory
    MAC Address: a4:6c:2a:e4:6b:bf
    Using default Management Ethernet Port: 0
    
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot in 5 seconds.

    Example 2-6 shows the confirmation message you get for a successful ROMMON upgrade, after the final reboot. At this stage, the ROMMON software is fully upgraded, and you are ready to begin the next step of the reimage process.

    Example 2-6 Completion of a Successful Upgrade

    Located '.boot_string' @ cluster 1607965.
    
    #
    Attempt autoboot: "boot disk0:/asa961-50-lfbff-k8.spa"
    Located 'asa961-50-lfbff-k8.spa' @ cluster 10.
    
    ########################################################################################
      ######################################################################################
      ######################################################################################
      #################################################
    LFBFF signature verified.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    There are differences between boot sector and its backup.
    Differences: (offset:original/backup)
      65:01/00
      Not automatically fixing this.
    Starting check/repair pass.
    Starting verification pass.
    /dev/sdb1: 104 files, 811482/1918808 clusters
    dosfsck(/dev/sdb1) returned 0
    Mounting /dev/sdb1
    Setting the offload CPU count to 0
    IO Memory Nodes: 1
    IO Memory Per Node: 205520896 bytes
    
    Global Reserve Memory Per Node: 314572800 bytes Nodes=1
    
    LCMB: got 205520896 bytes on numa-id=0, phys=0x10d400000, virt=0x2aaaab000000
    LCMB: HEAP-CACHE POOL got 314572800 bytes on numa-id=0, virt=0x7fedbc200000
    Processor memory:   1502270072
    
    Compiled on Fri 04-Mar-16 10:50 PST by builders
    Total NICs found: 14
    i354 rev03 Gigabit Ethernet @ irq255 dev 20 index 08 MAC: a46c.2ae4.6bbf
    ivshmem rev03 Backplane Data Interface     @ index 09 MAC: 0000.0001.0002
    en_vtun rev00 Backplane Control Interface  @ index 10 MAC: 0000.0001.0001
    en_vtun rev00 Backplane Int-Mgmt Interface     @ index 11 MAC: 0000.0001.0003
    en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 12 MAC: 0000.0000.0000
    en_vtun rev00 Backplane Tap Interface     @ index 13 MAC: 0000.0100.0001
    Rom-monitor was successfully upgraded.
    Verify the activation-key, it might take a while...
    .
    .
    ! Licensing and legal information are omitted for brevity
    .
    .
                    Cisco Systems, Inc.
                    170 West Tasman Drive
                    San Jose, California 95134-1706
    
    Reading from flash...
    !.
    Cryptochecksum (unchanged): 868f669d 9e09ca8b e91c32de 4ee8fd7f
    
    INFO: Power-On Self-Test in process.
    .......................
    INFO: Power-On Self-Test complete.
    INFO: Starting HW-DRBG health test...
    INFO: HW-DRBG health test passed.
    
    INFO: Starting SW-DRBG health test...
    INFO: SW-DRBG health test passed.
    Type help or '?' for a list of available commands.
    ciscoasa>

    When an ASA is running, you can also manually check its ROMMON software version, as discussed in the “Verification and Troubleshooting Tools” section, later in this chapter. Example 2-7 shows that the current firmware version is upgraded to 1.1.8.

    Example 2-7 The Upgraded Firmware Version

    ciscoasa> enable
    Password: *****
    ciscoasa# show module
    
    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
       1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD191100HG
     sfr Unknown                                      N/A                JAD191100HG
    
    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
       1 a46c.2ae4.6bbf to a46c.2ae4.6bc8  1.0          1.1.8        9.6(1)50
     sfr a46c.2ae4.6bbe to a46c.2ae4.6bbe  N/A          N/A
    
    Mod  SSM Application Name           Status           SSM Application Version
    ---- ------------------------------ ---------------- --------------------------
    
    Mod  Status             Data Plane Status     Compatibility
    ---- ------------------ --------------------- -------------
       1 Up Sys             Not Applicable
     sfr Unresponsive       Not Applicable
    
    ciscoasa#
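    The firmware check in this section rests on two things the console prints: the version string (Examples 2-5 and 2-7) and the hash-and-signature block the ASA emits when it copies and verifies the .SPA file (Examples 2-1 and 2-2). The following Python is an added example, not code from the book or from Cisco, that turns both into fail-closed checks you can run over captured console output before and after the upgrade: a numeric version comparison against the 1.1.8 minimum (a plain string comparison gets "1.1.10" versus "1.1.8" wrong), a column-aware parser for the show module table, a parser that reassembles the wrapped Computed Hash and Embedded Hash lines and insists on the "Digital signature successfully validated" line, and a streaming SHA-512 of the downloaded file for comparison with the digest published on the Cisco download page before you stage the file on the TFTP server. The show module and copy output embedded below are taken from Examples 2-7 and 2-1; the published SHA-512 is not reproduced here and must be read from the download page.

```python
"""Firmware-upgrade checks run against captured ASA console output.

Added example, not code from the book or from Cisco: a numeric ROMMON version
gate (string comparison says "1.1.10" < "1.1.8"), a fail-closed parser for the
Computed Hash / Embedded Hash / signature block printed by `copy` and `upgrade
rommon` (TFTP authenticates nothing, so that device-side check is the only
control on the .SPA file), and a local SHA-512 to compare with the digest on the
Cisco download page before staging (read that digest from the page; none is
reproduced here).
"""
import hashlib
import re

MIN_ROMMON = "1.1.8"   # minimum for ASA 5506-X/5508-X/5516-X reimaging

# Console output from the chapter (Examples 2-7 and 2-1), embedded to run offline.
SHOW_MODULE = """\
Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2ae4.6bbf to a46c.2ae4.6bc8  1.0          1.1.8        9.6(1)50
 sfr a46c.2ae4.6bbe to a46c.2ae4.6bbe  N/A          N/A
"""
COPY_OUTPUT = """\
Computed Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                      eefe8f182491652ee4c05e6e751f7a4f
                      5cdea28540cf60acde3ab9b65ff55a9f
                      4e0cfb84b9e2317a856580576612f4af

Embedded Hash   SHA2: d824bdeecee1308fc64427367fa559e9
                      eefe8f182491652ee4c05e6e751f7a4f
                      5cdea28540cf60acde3ab9b65ff55a9f
                      4e0cfb84b9e2317a856580576612f4af

Digital signature successfully validated
"""

def version_tuple(version):
    """'1.1.01' -> (1, 1, 1): compare fields as integers, not as text."""
    return tuple(int(part) for part in version.strip().split("."))

def rommon_version_ok(version, minimum=MIN_ROMMON):
    return version_tuple(version) >= version_tuple(minimum)

BANNER_RE = re.compile(r"Cisco Systems ROMMON, Version (\d+(?:\.\d+)+)")

def rommon_version_from_banner(console_text):
    """Version from the 'Cisco Systems ROMMON, Version x.y.z' boot banner."""
    m = BANNER_RE.search(console_text)
    return m.group(1) if m else None

def parse_fixed_width_table(lines):
    """Cisco CLI table (header, dashed separator, rows) -> list of dicts.
    Column spans come from the dash runs, so 'a46c... to a46c...' stays whole."""
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[1])]
    names = [lines[0][s:e].strip() for s, e in spans]
    rows = []
    for row in lines[2:]:
        if not row.strip():
            break
        rows.append({n: row[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows

def fw_version_from_show_module(output, module="1"):
    """'Fw Version' of the given module from `show module` output, else None."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if "Fw Version" in line:
            for row in parse_fixed_width_table(lines[i:]):
                if row.get("Mod") == module:
                    return row.get("Fw Version")
    return None

HASH_START = re.compile(r"^\s*(Computed|Embedded) Hash\s+SHA2:\s*([0-9a-fA-F]*)\s*$")
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s*$")
SIGNATURE_OK = "Digital signature successfully validated"

def parse_device_verification(output):
    """Reassemble the wrapped hashes; ok only if they match and the signature passed."""
    hashes, current = {}, None
    for line in output.splitlines():
        start, cont = HASH_START.match(line), HEX_LINE.match(line)
        if start:
            current = start.group(1).lower()
            hashes[current] = start.group(2).lower()
        elif current and cont:
            hashes[current] += cont.group(1).lower()
        else:
            current = None   # any other line, including a blank one, ends the block
    computed, embedded = hashes.get("computed"), hashes.get("embedded")
    signed = SIGNATURE_OK in output
    ok = signed and computed is not None and computed == embedded and len(computed) == 128
    return {"computed": computed, "embedded": embedded, "signature_validated": signed, "ok": ok}

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

def sha512_of_file(path, chunk_size=1 << 20):
    """Streaming SHA-512 of a downloaded image, to compare with the published digest."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()
```

    Run sha512_of_file() on the .SPA and boot-image files you downloaded and compare the result with the download page before copying them to the TFTP server; after the copy and upgrade rommon commands, paste the console output into parse_device_verification() and stop if ok is False. The 128-hex-character length check matters because the ASA labels the digest only as "SHA2"; the signer block in Example 2-2 identifies it as SHA2 512.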

Installing the Boot Image

You begin the setup of the FTD software from the command line interface (CLI) of a boot image. To access the CLI of the boot image, you need to reload the ASA with the FTD boot image. This section discusses the steps that are necessary to reload an ASA with an appropriate boot image on any ASA 5500-X Series hardware:

  • Step 1. Download the appropriate boot image for your ASA hardware:

    • For low-end ASA hardware, use the *.lfbff file.

    • For midrange hardware, use the *.cdisk file.

    Figure 2-7 shows the boot image file ftd-boot-9.6.2.0.lfbff that you use during the reimaging of ASA 5506-X, 5508-X, or 5516-X hardware.

    Figure 2-7 The *.lfbff Boot Image File for Low-End ASA 5500-X Series Hardware

    Figure 2-8 shows the boot image file ftd-boot-9.6.2.0.cdisk that you use during the reimaging of ASA 5512-X, 5515-X, 5525-X, 5545-X, or 5555-X hardware.

    Figure 2-8 The *.cdisk Boot Image File for Midrange ASA 5500-X Series Hardware

  • Step 2. Reload the ASA. As shown in Example 2-8, the ASA shuts down all its processes before it gracefully reboots.

    Example 2-8 Reloading ASA Hardware

    ciscoasa# reload
    Proceed with reload? [confirm]
    ciscoasa#
    ***
    *** --- START GRACEFUL SHUTDOWN ---
    Shutting down isakmp
    Shutting down webvpn
    Shutting down sw-module
    Shutting down License Controller
    Shutting down File system
    ***
    *** --- SHUTDOWN NOW ---
    Process shutdown finished
    Rebooting... (status 0x9)
    ..
    INIT: Sending processes the TERM signal
    Stopping OpenBSD Secure Shell server: sshdno /usr/sbin/sshd found; none killed
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting...
  • Step 3. Interrupt the bootup process by pressing the Esc key. Example 2-9 shows that the bootup process is interrupted and the ASA enters ROMMON mode.

    Example 2-9 Interrupting the Bootup Process

    Rom image verified correctly
    
    Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
    Copyright (c) 1994-2015  by Cisco Systems, Inc.
    Compiled Thu 06/18/2015 12:15:56.43 by builders
    
    Current image running: Boot ROM1
    Last reset cause: PowerCycleRequest
    DIMM Slot 0 : Present
    
    Platform ASA5506 with 4096 Mbytes of main memory
    MAC Address: a4:6c:2a:e4:6b:bf
    Using default Management Ethernet Port: 0
    
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot in 7 seconds.
    Boot interrupted.
    rommon 1 >
  • Step 4. To see the limited set of commands available in ROMMON mode, run the help command. Example 2-10 shows the available commands; the ones used in the following steps to install the boot image are address, netmask, gateway, server, ping, file, sync, and tftpdnld.

    Example 2-10 Available Commands in the ROMMON Configuration Mode

    rommon 1 > help
    ?                   Display this help menu
    address             Set the local IP address
    boot                Boot an application program
    confreg             Configuration register contents display and management
    console             Console BAUD rate display and configuration
    dev                 Display a list of available file system devices
    dir                 File directory display command
    erase               erase the specified file system
    file                Set the application image file path/name to be TFTPed
    gateway             Set the default gateway IP address
    help                "help" for this menu
                        "help <command>" for specific command information
    history             Show the command line history
    netmask             Set the IP subnet mask value
    ping                Test network connectivity with ping commands
    server              Set the TFTP server IP address
    show                Display system device and status information
    tftpdnld            Download and run the image defined by "FILE"
    reboot              Reboot the system
    reload              Reboot the system
    repeat              Repeat a CLI command
    reset               Reboot the system
    set                 Display the configured environment variables
    sync                Save the environment variables to persistent storage
    unset               Clear a configured environment variable
  • Step 5. Configure the network settings by using the commands shown in Example 2-11. ROMMON needs an IP address, netmask, default gateway, and TFTP server address to download the boot image. Use the address the ASA should keep on the management network: the boot CLI configures its management interface with this same address when it starts, and the setup wizard later offers it as the default.

    Example 2-11 Commands to Configure the Network Settings in ROMMON Mode

    rommon 2 > address 10.1.1.21
    rommon 3 > netmask 255.255.255.0
    rommon 4 > gateway 10.1.1.1
    rommon 5 > server 10.1.1.4
  • Step 6. Test the connectivity from the ASA to the TFTP server where the image files are stored, as shown in Example 2-12. You get confirmation that the ASA can communicate with the TFTP server.

    Example 2-12 A Successful ping Test from the ASA to the TFTP Server

    rommon 6 > ping 10.1.1.4
    Sending 10, 32-byte ICMP Echoes to 10.1.1.4 timeout is 4 seconds
    !!!!!!!!!!
    Success rate is 100 percent (10/10)
  • Step 7. Once connectivity is established, provide the name of the boot image file you want to download from the TFTP server, save the changes, and begin the download. Example 2-13 shows that the ASA 5506-X has successfully downloaded the boot image file ftd-boot-9.6.2.0.lfbff from a TFTP server.

    Example 2-13 Commands to Select and Download a File from a TFTP Server to ASA Hardware

    rommon 7 > file ftd-boot-9.6.2.0.lfbff
    rommon 8 > sync
    rommon 9 > tftpdnld
                 ADDRESS: 10.1.1.21
                 NETMASK: 255.255.255.0
                 GATEWAY: 10.1.1.1
                  SERVER: 10.1.1.4
                   IMAGE: ftd-boot-9.6.2.0.lfbff
                 MACADDR: a4:6c:2a:e4:6b:bf
               VERBOSITY: Progress
                   RETRY: 20
              PKTTIMEOUT: 60
                 BLKSIZE: 1460
                CHECKSUM: Yes
                    PORT: GbE/1
                 PHYMODE: Auto Detect
    
    Receiving ftd-boot-9.6.2.0.lfbff from 10.1.1.4!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    File reception completed.

    The ASA boots up automatically with the FTD boot CLI, as shown in Example 2-14.

    Example 2-14 Bootup Process of ASA Hardware with an FTD Boot Image

    Boot buffer bigbuf=348bd018
    Boot image size = 100921600 (0x603f100) bytes
    [image size]      100921600
    [MD5 signature]    0264697f6f1942b9bf80f820fb209ad5
    LFBFF signature verified.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    Detected PID ASA5506.
    Found device serial number JAD191100HG.
    Found USB flash drive /dev/sdb
    Found hard drive(s):  /dev/sda
    fsck from util-linux 2.23.2
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    There are differences between boot sector and its backup.
    Differences: (offset:original/backup)
      65:01/00
      Not automatically fixing this.
    /dev/sdb1: 52 files, 811482/1918808 clusters
    Launching boot CLI ...
    Configuring network interface using static IP
    Bringing up network interface.
    Depending on your network, this might take a couple of minutes when using DHCP...
    ifup: interface lo already configured
    Using IPv4 address: 10.1.1.21
    INIT: Starting system message bus: dbus.
    Starting OpenBSD Secure Shell server: sshd
      generating ssh RSA key...
      generating ssh ECDSA key...
      generating ssh DSA key...
    done.
    Starting Advanced Configuration and Power Interface daemon: acpid.
    acpid: starting up
    acpid: 1 rule loaded
    acpid: waiting for events: event logging is off
    Starting ntpd: done
    Starting syslog-ng:[2016-09-19T19:43:24.781411] Connection failed; fd='15',
      server='AF_INET(127.128.254.1:514)', local='AF_INET(0.0.0.0:0)', error='Network is
      unreachable (101)'
    [2016-09-19T19:43:24.781508] Initiating connection failed, reconnecting;
      time_reopen='60'
    .
    Starting crond: OK
    
    
                Cisco FTD Boot 6.0.0 (9.6.2.)
                  Type ? for list of commands
    ciscoasa-boot>
  • Step 8. Optionally press the ? key to see the list of the available commands on the FTD boot CLI, as shown in Example 2-15. (The setup, ping, and system commands are the ones used in the next section of this chapter to install the FTD system software image.)

    Example 2-15 The Command Options on the FTD Boot CLI

    ciscoasa-boot> ?
        show             => Display system information. Enter show ? for options
        system           => Control system operation
        setup            => System Setup Wizard
        support          => Support information for TAC
        delete           => Delete files
        ping             => Ping a host to check reachability
        traceroute       => Trace the route to a remote host
        exit             => Exit the session
        help             => Get help on command syntax
    ciscoasa-boot>

Installing the System Software

Installing the FTD software is the last step of the reimaging process. This section describes the steps to install the FTD system software on any ASA 5500-X Series hardware:

  • Step 1. Download the FTD system software package file from software.cisco.com and copy it to an HTTP or FTP server. Figure 2-9 shows the FTD system software package ftd-6.1.0-330.pkg that you install on any low-end or midrange ASA 5500-X Series hardware during the reimaging process.

    Figure 2-9 The *.pkg File Installed on Any Low-End or Midrange ASA Hardware Models

  • Step 2. As shown in Example 2-16, run the setup command to configure or update the network settings so that the ASA can download the FTD system software package from the HTTP server. During the installation of the boot image, you configured the network settings. Now you either verify the existing configuration or provide any missing information that was not entered before.

    Example 2-16 A Complete Walk-through of the Network Setup Process

    ciscoasa-boot> setup
    
                    Welcome to Cisco FTD Setup
                      [hit Ctrl-C to abort]
                    Default values are inside []
    
    Enter a hostname [ciscoasa]:
    Do you want to configure IPv4 address on management interface?(y/n) [Y]:
    Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]:
    Enter an IPv4 address [10.1.1.21]:
    Enter the netmask [255.255.255.0]:
    Enter the gateway [10.1.1.1]:
    Do you want to configure static IPv6 address on management interface?(y/n) [N]:
    Stateless autoconfiguration will be enabled for IPv6 addresses.
    Enter the primary DNS server IP address: 10.1.1.8
    Do you want to configure Secondary DNS Server? (y/n) [n]:
    Do you want to configure Local Domain Name? (y/n) [n]:
    Do you want to configure Search domains? (y/n) [n]:
    Do you want to enable the NTP service? [Y]:
    Enter the NTP servers separated by commas: 10.1.1.9
    
    Please review the final configuration:
    Hostname:               ciscoasa
    Management Interface Configuration
    
    IPv4 Configuration:     static
            IP Address:     10.1.1.21
            Netmask:        255.255.255.0
            Gateway:        10.1.1.1
    
    IPv6 Configuration:     Stateless autoconfiguration
    
    DNS Configuration:
            DNS Server:     10.1.1.8
    
    NTP configuration:      10.1.1.9
    
    CAUTION:
    You have selected IPv6 stateless autoconfiguration, which assigns a global address
    based on network prefix and a device identifier. Although this address is unlikely
    to change, if it does change, the system will stop functioning correctly.
    We suggest you use static addressing instead.
    Apply the changes?(y,n) [Y]:
    Configuration saved successfully!
    Applying...
    Restarting network services...
    Done.
    Press ENTER to continue...
    ciscoasa-boot>
  • Step 3. Test the connectivity, as shown in Example 2-17. This example also shows that the ASA can successfully ping from the FTD boot CLI to the HTTP server.

    Example 2-17 ping Test Between the ASA and the HTTP Server

    ciscoasa-boot> ping 10.1.1.4
    PING 10.1.1.4 (10.1.1.4) 56(84) bytes of data.
    64 bytes from 10.1.1.4: icmp_seq=1 ttl=64 time=0.364 ms
    64 bytes from 10.1.1.4: icmp_seq=2 ttl=64 time=0.352 ms
    64 bytes from 10.1.1.4: icmp_seq=3 ttl=64 time=0.326 ms
    64 bytes from 10.1.1.4: icmp_seq=4 ttl=64 time=0.313 ms
    ^C
    --- 10.1.1.4 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2997ms
    rtt min/avg/max/mdev = 0.313/0.338/0.364/0.030 ms
    
    ciscoasa-boot>
  • Step 4. Download the FTD system software package from the HTTP server with the system install command, as shown in Example 2-18. The command warns that it erases the contents of disk0: and asks for confirmation before it downloads anything. After a successful download, the package is extracted automatically.

    Example 2-18 Downloading the FTD System Software

    ciscoasa-boot> system install http://10.1.1.4/ftd-6.1.0-330.pkg
    
    ######################## WARNING ############################
    # The content of disk0: will be erased during installation! #
    #############################################################
    
    Do you want to continue? [y/N] Y
    Erasing disk0 ...
    Verifying
    Downloading...
  • Step 5. When prompted, press Y to start the upgrade process. Example 2-19 shows the extraction of the FTD system software package ftd-6.1.0-330.pkg and the beginning of the upgrade process.

    Example 2-19 Starting the Upgrade Process

    Extracting.....
    Package Detail
            Description:                    Cisco ASA-FTD 6.1.0-330 System Install
            Requires reboot:                Yes
    
    Do you want to continue with upgrade? [y]:
    Warning: Please do not interrupt the process or turn off the system.
    Doing so might leave system in unusable state.
    
    Starting upgrade process ...
    Populating new system image..
  • Step 6. When the image is populated and the system prompts you to reboot the system, press Enter to reboot. Example 2-20 shows the ASA hardware rebooting after the image is populated.

    Example 2-20 Rebooting the ASA Hardware to Complete the Upgrade

    Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
    
    Broadcast mStopping OpenBSD Secure Shell server: sshdstopped /usr/sbin/sshd (pid 1723)
    .
    Stopping Advanced Configuration and Power Interface daemon: stopped /usr/sbin/acpid
      (pid 1727)
    acpid: exiting
    
    acpid.
    Stopping system message bus: dbus.
    Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 1893)
    done
    Stopping crond: OKs
    Deconfiguring network interfaces... done.
    Sending all processes the TERM signal...
    Sending all processes the KILL signal...
    Deactivating swap...
    Unmounting local filesystems...
    Rebooting...
    
    Rom image verified correctly
    
    Cisco Systems ROMMON, Version 1.1.8, RELEASE SOFTWARE
    Copyright (c) 1994-2015  by Cisco Systems, Inc.
    Compiled Thu 06/18/2015 12:15:56.43 by builders
    
    Current image running: Boot ROM1
    Last reset cause: PowerCycleRequest
    DIMM Slot 0 : Present
    
    Platform ASA5506 with 4096 Mbytes of main memory
    MAC Address: a4:6c:2a:e4:6b:bf
    Using default Management Ethernet Port: 0
    
    Use BREAK or ESC to interrupt boot.
    Use SPACE to begin boot immediately.
    Boot in 5 seconds.
    
    
    Located '.boot_string' @ cluster 260097.
    #
    Attempt autoboot: "boot disk0:os.img"
    Located 'os.img' @ cluster 235457.
    
    ##############################################################################################
      ############################################################################################
      ############################################################################################
      ############################################################################################
      ############################################################################################
      #####################################
    LFBFF signature verified.
    INIT: version 2.88 booting
    Starting udev
    Configuring network interfaces... done.
    Populating dev cache
    Detected PID ASA5506.
    Found device serial number JAD191100HG.
    Found USB flash drive /dev/sdb
    Found hard drive(s):  /dev/sda
    fsck from util-linux 2.23.2
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    /dev/sdb1: 7 files, 24683/1919063 clusters

    After bootup, the initialization of the FTD software begins automatically. Example 2-21 shows the launch of FTD software and the execution of various scripts throughout the installation process.

    Example 2-21 The FTD Initialization Process

    Use ESC to interrupt boot and launch boot CLI.
    Use SPACE to launch Cisco FTD immediately.
    Cisco FTD launch in 21 seconds ...
    
    Cisco FTD launch in 0 seconds ...
    Running on kenton
    Mounting disk partitions ...
    Initializing Threat Defense ...                                       [  OK  ]
    Starting system log daemon...                                         [  OK  ]
    Stopping mysql...
    Sep 19 20:29:33 ciscoasa SF-IMS[2303]: [2303] pmtool:pmtool [ERROR] Unable to connect
      to UNIX socket at /ngfw/var/sf/run/PM_Control.sock: No such file or directory
    Starting mysql...
    Sep 19 20:29:33 ciscoasa SF-IMS[2304]: [2304] pmtool:pmtool [ERROR] Unable to connect
      to UNIX socket at /ngfw/var/sf/run/PM_Control.sock: No such file or directory
    Flushing all current IPv4 rules and user defined chains: ...success
    Clearing all current IPv4 rules and user defined chains: ...success
    Applying iptables firewall rules:
    Flushing chain 'PREROUTING'
    .
    ! Omitted the messages related to iptables flushing for brevity
    .
    Flushing chain 'OUTPUT'
    Applying rules successed
    Starting nscd...
    mkdir: created directory '/var/run/nscd'                              [  OK  ]
    Starting , please wait...grep: /ngfw/etc/motd: No such file or directory
    ...complete.
    Firstboot detected, executing scripts
    Executing S01reset_failopen_if                                        [  OK  ]
    Executing S01virtual-machine-reconfigure                              [  OK  ]
    Executing S02aws-pull-cfg                                             [  OK  ]
    Executing S02configure_onbox                                          [  OK  ]
    Executing S04fix-httpd.sh                                             [  OK  ]
    Executing S05set-mgmnt-port                                           [  OK  ]
    Executing S06addusers                                                 [  OK  ]
    Executing S07uuid-init                                                [  OK  ]
    Executing S08configure_mysql                                          [  OK  ]
    
    ************ Attention *********
    
       Initializing the configuration database.  Depending on available
       system resources (CPU, memory, and disk), this may take 30 minutes
       or more to complete.
    
    ************ Attention *********
    
    Executing S09database-init                                            [  OK  ]
    Executing S11database-populate                                        [  OK  ]
    Executing S12install_infodb                                           [  OK  ]
    Executing S15set-locale.sh                                            [  OK  ]
    Executing S16update-sensor.pl                                         [  OK  ]
    Executing S19cert-tun-init                                            [  OK  ]
    Executing S20cert-init                                                [  OK  ]
    Executing S21disable_estreamer                                        [  OK  ]
    Executing S25create_default_des.pl                                    [  OK  ]
    Executing S30init_lights_out_mgmt.pl                                  [  OK  ]
    Executing S40install_default_filters.pl                               [  OK  ]
    Executing S42install_default_dashboards.pl                            [  OK  ]
    Executing S43install_default_report_templates.pl                      [  OK  ]
    Executing S44install_default_app_filters.pl                           [  OK  ]
    Executing S45install_default_realms.pl                                [  OK  ]
    Executing S47install_default_sandbox_EO.pl                            [  OK  ]
    Executing S50install-remediation-modules                              [  OK  ]
    Executing S51install_health_policy.pl                                 [  OK  ]
    Executing S52install_system_policy.pl                                 [  OK  ]
    Executing S53change_reconciliation_baseline.pl                        [  OK  ]
    Executing S70remove_casuser.pl                                        [  OK  ]
    Executing S70update_sensor_objects.sh                                 [  OK  ]
    Executing S85patch_history-init                                       [  OK  ]
    Executing S90banner-init                                              [  OK  ]
    Executing S95copy-crontab                                             [  OK  ]
    Executing S96grow_var.sh                                              [  OK  ]
    Executing S96install_vmware_tools.pl                                  [  OK  ]
    
    ********** Attention **********
    
       Initializing the system's localization settings.  Depending on available
       system resources (CPU, memory, and disk), this may take 10 minutes
       or more to complete.
    ********** Attention **********
    Executing S96localize-templates                                       [  OK  ]
    Executing S96ovf-data.pl                                              [  OK  ]
    Executing S97compress-client-resources                                [  OK  ]
    Executing S97create_platinum_forms.pl                                 [  OK  ]
    Executing S97install_cas                                              [  OK  ]
    Executing S97install_cloud_support.pl                                 [  OK  ]
    Executing S97install_geolocation.pl                                   [  OK  ]
    Executing S97install_ssl_inspection.pl                                [  OK  ]
    Executing S97update_modprobe.pl                                       [  OK  ]
    Executing S98check-db-integrity.sh                                    [  OK  ]
    Executing S98htaccess-init                                            [  OK  ]
    Executing S98is-sru-finished.sh                                       [  OK  ]
    Executing S99correct_ipmi.pl                                          [  OK  ]
    Executing S99start-system                                             [  OK  ]
    Executing S99z_db_restore                                             [  OK  ]
    Executing S99_z_cc-integrity.sh                                       [  OK  ]
    Firstboot scripts finished.
    Configuring NTP...                                                    [  OK  ]
    fatattr: can't open '/mnt/disk0/.private2': No such file or directory
    fatattr: can't open '/mnt/disk0/.ngfw': No such file or directory
    Model reconfigure detected, executing scripts
    Pinging mysql
    Found mysql is running
    Executing 45update-sensor.pl                                          [  OK  ]
    Executing 55recalculate_arc.pl                                        [  OK  ]
    Starting xinetd:
    Mon Sep 19 20:59:07 UTC 2016
    Starting MySQL...
    Pinging mysql
    Pinging mysql, try 1
    Pinging mysql, try 2
    Found mysql is running
    Running initializeObjects...
    Stopping MySQL...
    Killing mysqld with pid 22285
    Wait for mysqld to exit\c
     done
    Mon Sep 19 20:59:32 UTC 2016
    
    Starting sfifd...                                                     [  OK  ]
    Starting Cisco ASA5506-X Threat Defense, please wait...No PM running!
    ...started.
    INIT: Starting system message bus: dbus.
    Starting OpenBSD Secure Shell server: sshd
      generating ssh RSA key...
      generating ssh ECDSA key...
      generating ssh DSA key...
    done.
    Starting Advanced Configuration and Power Interface daemon: acpid.
    Starting crond: OK
    Sep 19 20:59:42 ciscoasa SF-IMS[22997]: [22997] init script:system [INFO] pmmon
      Setting affinity to 0-3...
    pid 22993's current affinity list: 0-3
    pid 22993's new affinity list: 0-3
    Sep 19 20:59:42 ciscoasa SF-IMS[22999]: [22999] init script:system [INFO] pmmon The
      Process Manager is not running...
    Sep 19 20:59:42 ciscoasa SF-IMS[23000]: [23000] init script:system [INFO] pmmon
      Starting the Process Manager...
    Sep 19 20:59:42 ciscoasa SF-IMS[23001]: [23001] pm:pm [INFO] Using model number 75J
    
    IO Memory Nodes: 1
    IO Memory Per Node: 205520896 bytes
    
    Global Reserve Memory Per Node: 314572800 bytes Nodes=1
    
    LCMB: got 205520896 bytes on numa-id=0, phys=0x2400000, virt=0x2aaaac200000
    LCMB: HEAP-CACHE POOL got 314572800 bytes on numa-id=0, virt=0x7fa17d600000
    Processor memory:   1583098718
    
    Compiled on Tue 23-Aug-16 19:42 PDT by builders
    
    Total NICs found: 14
    .
    ! Omitted the MAC addresses, licensing and legal messages for brevity
    .
                    Cisco Systems, Inc.
                    170 West Tasman Drive
                    San Jose, California 95134-1706
    
    Reading from flash...
    !
    Cryptochecksum (changed): f410387e 8aab8a4e f71eb8a9 f8b37ef9
    
    INFO: Power-On Self-Test in process.
    .......................................................................
    INFO: Power-On Self-Test complete.
    
    INFO: Starting HW-DRBG health test...
    INFO: HW-DRBG health test passed.
    
    INFO: Starting SW-DRBG health test...
    INFO: SW-DRBG health test passed.
    Type help o '?' for a list
    Cisco ASA5506-X Threat Defense v6.1.0 (build 330)
    firepower login:
  • Step 7. At the Firepower login prompt, which indicates that the installation is complete, enter the default login credentials (username admin and password Admin123), as shown in Example 2-22. These defaults are published and identical on every fresh installation, which is why the system forces a password change at the first login (Step 9); do not skip that change or choose a trivial password.

    Example 2-22 Entering the Default Login Credentials

    firepower login: admin
    Password: Admin123
  • Step 8. When prompted to accept the End User License Agreement (EULA), press Enter to display the agreement, and then type YES or press Enter to accept it. Example 2-23 shows the system prompts for the EULA. The detailed legal messages are omitted from this example for brevity.

    Example 2-23 Agreeing to the EULA

    You must accept the EULA to continue.
    Press <ENTER> to display the EULA:
    END USER LICENSE AGREEMENT
    .
    .
    !The EULA messages are omitted for brevity
    .
    .
    .Please enter 'YES' or press <ENTER> to AGREE to the EULA:
  • Step 9. As the system initialization process begins, change the password for the admin user and set up the network by pressing Enter to accept the default values in brackets ([ ]). Example 2-24 illustrates the configuration of the password and network settings.

    Example 2-24 Configuring the Network After the First Login to FTD

    System initialization in progress.  Please stand by.
    You must change the password for 'admin' to continue.
    Enter new password:
    Confirm new password:
    You must configure the network to continue.
    You must configure at least one of IPv4 or IPv6.
    Do you want to configure IPv4? (y/n) [y]:
    Do you want to configure IPv6? (y/n) [n]:
    Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
    Enter an IPv4 address for the management interface [192.168.45.45]: 10.1.1.21
    Enter an IPv4 netmask for the management interface [255.255.255.0]:
    Enter the IPv4 default gateway for the management interface [192.168.45.1]: 10.1.1.1
    Enter a fully qualified hostname for this system [firepower]:
    Enter a comma-separated list of DNS servers or 'none' []:
    Enter a comma-separated list of search domains or 'none' []:
    If your networking information has changed, you will need to reconnect.
    For HTTP Proxy configuration, run 'configure network http-proxy'
  • Step 10. When the question about local management (also known as on-box management) appears, enter no.

    Example 2-25 shows the configurations related to how to manage this FTD and how to deploy it in the network. In this example, the system is configured to be managed by a dedicated management appliance (the FMC) and is deployed in routed mode.

    Example 2-25 Configuring the Deployment Type and Modes

    Manage the device locally? (yes/no) [yes]: no
    Configure firewall mode? (routed/transparent) [routed]:
    Configuring firewall mode ...
    Update policy deployment information
        - add device configuration
        - add network discovery
        - add system policy
    You can register the sensor to a Firepower Management Center and use the
    Firepower Management Center to manage it. Note that registering the sensor
    to a Firepower Management Center disables on-sensor Firepower Services
    management capabilities.
    
    When registering the sensor to a Firepower Management Center, a unique
    alphanumeric registration key is always required.  In most cases, to register
    a sensor to a Firepower Management Center, you must provide the hostname or
    the IP address along with the registration key.
    'configure manager add [hostname | ip address ] [registration key ]'
    
    However, if the sensor and the Firepower Management Center are separated by a
    NAT device, you must enter a unique NAT ID, along with the unique registration
    key.
    'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
    
    Later, using the web interface on the Firepower Management Center, you must
    use the same registration key and, if necessary, the same NAT ID when you add
    this sensor to the Firepower Management Center.
    >

    The > prompt at the end of Example 2-25 confirms that the initial network configuration is complete. The next step is to verify network connectivity on the management interface and then begin the registration process. Treat the registration key as a shared secret: it must be unique to this device, and the same key (and NAT ID, if one is used) must be entered on the FMC when the device is added. (Chapter 6, “The Firepower Management Network,” explains the management connection, and Chapter 7, “Firepower Licensing and Registration,” describes the registration process.)
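The following Python script is an added example, not code from the book or from Cisco. It performs two checks a practitioner would want once the > prompt appears: it scans a saved console capture for the integrity and health checkpoints shown in the package description and boot output above (Examples 2-20 and 2-21 and the login banner in Example 2-21: ROMMON image verification, the LFBFF signature check on os.img, the power-on self-test, the DRBG health tests and the "Firstboot scripts finished" marker), confirms that the build in the login banner matches the package that was installed, and then stages the `configure manager add` command in the two forms the FTD prints after setup, using a freshly generated alphanumeric registration key. The capture embedded in the script is constructed from lines shown on this page; the FMC address 10.1.1.10, the NAT ID ftd01, the capture file name and the 20-character key length are assumptions.

```python
"""Post-reimage checks for an ASA 5500-X running FTD (added example).

Assumptions, not from the book: the console session was saved to a text
file, the checkpoint strings are literal substrings of the lines the
device prints, and the FMC address / NAT ID below are placeholders.
"""
import re
import secrets
import string

# Substrings of console lines that a healthy reimage prints. A missing
# checkpoint means the boot or install did not complete as shown.
CHECKPOINTS = {
    "rommon_image_verified": "Rom image verified correctly",
    "lfbff_signature_verified": "LFBFF signature verified.",
    "firstboot_done": "Firstboot scripts finished.",
    "post_complete": "INFO: Power-On Self-Test complete.",
    "hw_drbg_ok": "INFO: HW-DRBG health test passed.",
    "sw_drbg_ok": "INFO: SW-DRBG health test passed.",
    "login_prompt": "firepower login:",
}

# "Cisco ASA-FTD 6.1.0-330 System Install" (package being installed)
PACKAGE_RE = re.compile(r"Cisco ASA-FTD (\d+\.\d+\.\d+)-(\d+) System Install")
# "Cisco ASA5506-X Threat Defense v6.1.0 (build 330)" (login banner)
BANNER_RE = re.compile(r"Cisco (ASA\d+-X) Threat Defense v(\d+\.\d+\.\d+) \(build (\d+)\)")
SERIAL_RE = re.compile(r"Found device serial number (\S+)\.")


def check_console_capture(lines):
    """Scan captured console lines; report missing checkpoints and version match."""
    found = {name: False for name in CHECKPOINTS}
    package = installed = platform = serial = None
    for line in lines:
        for name, needle in CHECKPOINTS.items():
            if needle in line:
                found[name] = True
        if m := PACKAGE_RE.search(line):
            package = (m.group(1), m.group(2))
        if m := BANNER_RE.search(line):
            platform, installed = m.group(1), (m.group(2), m.group(3))
        if m := SERIAL_RE.search(line):
            serial = m.group(1)
    missing = sorted(n for n, ok in found.items() if not ok)
    # The banner must report the same version and build as the package we uploaded.
    version_matches = package is not None and package == installed
    return {
        "missing": missing,
        "package": package,
        "installed": installed,
        "platform": platform,
        "serial": serial,
        "version_matches": version_matches,
        "ok": not missing and version_matches,
    }


ALNUM = string.ascii_letters + string.digits


def new_registration_key(length=20):
    """Random alphanumeric key; the device requires an alphanumeric key (length is an assumption)."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def build_manager_add(fmc_host, registration_key, nat_id=None):
    """Return the FTD CLI command for the > prompt, in the form the device prints:
    'configure manager add <hostname|ip> <key>' or, behind NAT,
    'configure manager add DONTRESOLVE <key> <NAT ID>'."""
    if not registration_key.isalnum():
        raise ValueError("registration key must be a non-empty alphanumeric string")
    if nat_id is not None:
        if not nat_id or any(c.isspace() for c in nat_id):
            raise ValueError("NAT ID must be a single non-empty token")
        return f"configure manager add DONTRESOLVE {registration_key} {nat_id}"
    return f"configure manager add {fmc_host} {registration_key}"


# Constructed capture, assembled from lines shown in this chapter's examples.
SAMPLE_CAPTURE = """\
        Description:                    Cisco ASA-FTD 6.1.0-330 System Install
Rom image verified correctly
Platform ASA5506 with 4096 Mbytes of main memory
LFBFF signature verified.
Detected PID ASA5506.
Found device serial number JAD191100HG.
Firstboot scripts finished.
INFO: Power-On Self-Test complete.
INFO: HW-DRBG health test passed.
INFO: SW-DRBG health test passed.
Cisco ASA5506-X Threat Defense v6.1.0 (build 330)
firepower login:
""".splitlines()

if __name__ == "__main__":
    # Replace SAMPLE_CAPTURE with open("ftd-console.log").read().splitlines() in practice.
    report = check_console_capture(SAMPLE_CAPTURE)
    print(report)
    key = new_registration_key()
    print(build_manager_add("10.1.1.10", key))            # FMC reachable directly (assumed address)
    print(build_manager_add("10.1.1.10", key, "ftd01"))   # FMC behind NAT (assumed NAT ID)
```

Run it against the real console capture and refuse to proceed to registration if `ok` is false; a missing `lfbff_signature_verified` or a version mismatch between the package and the banner means the device is not running the image you intended to install.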
